Install Debian on Existing encrypted LVM

Help with issues regarding installation of Debian

Re: Install Debian on Existing encrypted LVM

Postby Eddy_W » 2014-06-06 15:21


I had the same problems with installin Debian (Wheezy (7.5) in an existing, encrypted LUKS-Container with LVM-Volume-Group inside and a non-encrypted boot partition outside the LUKS-Container. I solved it the following way:

First backup the file /etc/crypttab from your "old system" installed in the LUKS-container you want to reuse, if existing. You can use it to easy restore your system later on.
I choosed the normal installation (not expert). This installation does not load "cryptsetup" into it's installation kernel for some reasons. Therefore you have to switch with "<CTRL>+<Alt>+2" to another terminal right at the beginning of the installation (before you choose your language) and "mark" the packages "cryptsetup-udeb" and "crypto-dm-modules" to be loaded into the kernel during installation with following commands:
Code: Select all
anna-install cryptsetup-udeb
anna-install crypto-dm-modules

Switch back to the Installtion with <CTRL>+<Alt>+1 and follow the process as ususal till the partitioning part. Here you have to switch again into the second terminal. Now you have to decrypt your LUKS container and activate the containing LVM-Volume-Group with following commands:
Code: Select all
modprobe dm-crypt # loading the kernel-module. Didn't load automatically in my case
cryptsetup luksOpen /dev/sdxY sdxY_crypt # Opens Luks container (xY has to be adapted to local settings, e.g sda5)
vgscan # detects existing LVM-Volume-Groups
vgchange -a y 'Name-of-LVM-Volume-Group' # Activates LVM-Volume-Group (check output from vgscan for the right name)

After this, switch back to the Installtion and rescan the Hardware by going one step back in the installation. After rescanning you should end up in the manuell partitioning menu. Here the first step is to configure the LVM-Volume-Group. It has to be done to reuse your existing LVM-Group. Nothing has to be change on the LVM-Volume-Group here, as long as you don't want to of course. Be careful in this step and don't accidently format a partition you don't want to format. When you start the LVM-Volume-group configuration and the prompt doesn't mention anything about formating a certain partition, nothing should happen to your data, when you continue.
After that you choose the partition(s) you want your system and /boot installed on as you would normally do and follow the installation.

Before choosing your additional software you should switch again to the 2nd terminal and install cryptsetup. Instead it won't be installed in the final system, for whatever reason.
Code: Select all
apt-install cryptsetup

Now, finish the installation and reboot the system from a live system (in my case Lubuntu 14.04). The normal boot to your fresh installed system will fail because it doesn't decrypt the LUKS-container.

Start a terminal in the Live-System and prepare a chroot session by mounting following devices:
Code: Select all
sudo cryptsetup /dev/sdxY sdxY_crypt # Opens the LUKS-container
sudo mount /dev/mapper/'LV-with-installed-system-on' /mnt
sudo mount /dev/mapper/'LV-with-home-folder-on /mnt/home # If necessary
sudo mount /dev/sdxY /mnt/boot # mount non-encrypted boot partition

Get acces to important Hardware and System-information:
Code: Select all
sudo mount -t devtmpfs /dev /mnt/dev
sudo mount -t devpts /dev/pts /mnt/dev/pts
sudo mount -t sysfs /sys /mnt/sys
sudo mount -t proc /proc /mnt/proc
sudo cp /proc/mounts /mnt/etc/mtab

Finally enter the chroot environment:
Code: Select all
sudo chroot /mnt /bin/bash

I didn't had internet connection in the chroot-environment but you don't need it when cryptsetup was installed during installation.

Now the file /etc/crypttab must be edited with an editor. The easiest way is to restore the content from a backup version from your "old system" which was installed in the same LUKS-container before. However you can easily create a new entry.

Code: Select all
nano /etc/crypttab

and add the line:

sdxY UUID="UUID-of-sdxY" none luks

Find out the UUID with:
Code: Select all
sudo blkid /dev/sdxY

Afterwards you should update your initrd.img with following command to save the new settings and make it available to grub for booting:
Code: Select all
update-initramfs -k all -c -t

There shouldn't be any warning popping up like "cryptsetup: WARNING: invalid line in /etc/crypttab". If so, make sure that you mounted your LUKS-Container with the same name used in /etc/crypttab (sdxY_crypt is the best choice). When you have no warning, you can leave the chroot environment with "exit" and reboot the system.
After booting your fresh installed Debian system everything should work and you should be asked for the passphrase to decrypt your LUKS-container.

Most if my informations I got from these pages and this thread. So for additional help check out: (German)

Best wishes
Posts: 1
Joined: 2014-06-06 13:27

Re: Install Debian on Existing encrypted LVM

Postby maddes » 2016-03-02 21:11

Thanks to Eddy_W I was able install Debian on my existing LUKS+LVM partition setup.
I found some more Information for Debian 8 "Jessie" and the upcoming Debian 9 "Stretch".
Therefore I post how I setup Debian 8 on my system, where the system booted correctly directly after Installation.
Still it is recommended having a live media at hand.

#0 Preparation
  • Get the installer image of the wanted Debian version.
    This guide has been tested with Debian 7 "Wheezy", 8 "Jessie" and 9 "Strecth" (installer alpha5).
    But should work on other versions too (maybe you have to manually load lvm2-udeb, lvmcfg-utils, mdadm-udeb, md-modules, mdcfg-utils, etc.).
  • Get the corresponding live image of that Debian version with the preferred desktop.
    Check that the live version boots on the system.
    Check how to change the keyboard layout and that it applies to a terminal session, as passwords with special characters have to be entered maybe.
  • Make a backup of /etc/crypttab from the old installation.
    Placing it on a usb stick/drive is recommended, but it can also be put on a separate partition of the system (if it's not intended to format this partition, e.g. /home).
  • Make a backup of all important data from the old installation that is located on the root partition.
    As it is recommended to format the root partition to have a clean installation.
    Therefore it is also recommended to have a separate partition for /home and maybe other mounts like /var, /srv, /opt depending on your needs.
  • This guide works with the text and graphical installer, differences between these are noted where they apply.
  • During installation several terminal consoles will be accessed via CTRL+ALT+Fx.
    Here is a list of these with their corresponding number:
    #1 Text Installer -or- Log from Graphical Installer itself
    #2 free (will be used for shell access to execute additonal tasks)
    #3 free
    #4 Installation Log (APT, etc.)
    #5 Graphical Installer
  • Expert Install mode is not necessary, but provides more options and steps are not running automatically.
  • Debian Installer (d-i) manual is available at
  • US keymap available at ... al_layouts
  • Comments after a command (" ; #...") must not be entered.

IMPORTANT is that the commands are exactly executed at the mentioned step of the installation.
Otherwise the file systems on the LVM partition won't get recognized, and you have to start over again from the beginning.

#1 Directly at the beginning of the installation (at least before selecting the keymap)
  • Switch to console #2
  • Press enter to activate the console.
    At this time the keymap will be US only.
  • Queue some UDEB packages for later installation.
    BEWARE OF TYPOS, the package name is not checked at this time and you only have US keyboard layout!
    Do not DEL key at all, and do not use TAB when entering package names.
    Code: Select all
    anna-install cryptsetup-udeb
    anna-install crypto-dm-modules
    anna-install crypto-modules
  • Switch to console #4
  • Check that the package names have no typos, e.g. CRYPTsetup vs. cryptO-..., or weird chars (e.g. tab, del).
  • Switch back to installer console.
  • Continue setup.

#2 Directly when configuring hostname (at least before defining all users)
  • Switch to console #2
  • Make sure the selected keymap (in /etc/default/keyboard) is applied to terminal console.
    Especially the Graphical Installer does not do that.
    This is important to enter the password correctly.
    Code: Select all
  • Open the encrypted partition so that the file systems on it are recognized by the partitioner "partman".
    Shell variables are used to avoid typos and use consistent names.
    Code: Select all
    DMNAME="${DEV##/dev/}_crypt" ; # sets variable to "sdXn_crypt"
    cryptsetup luksOpen $DEV $DMNAME
    ls /dev/mapper

    If anything went wrong (var name), then close the encrypted partition and repeat previous commands.
    Code: Select all
    cryptsetup luksClose $DMNAME
  • Switch back to installer console.
  • Continue setup.

#3 Directly when partitioner ("partman") comes up
  • Switch to console #2
  • Check that LVM volumes are active. Otherwise activate them.
    Code: Select all
    vgscan ; # detect all volume groups
    vgchange -a y <vg> ; # activate all volumes of a volume group
  • Switch back to installer console.
  • DO NOT continue setup.
    GO BACK ONE STEP to "Detect disks".
  • All LVM partitions should be available INCLUDING their file systems.
    If not, e.g. no file systems, then it is likely that something was done wrongly and start over again from the beginning.
  • Now map the partitions as usual while keeping their file system under "Use as".
    Do not forget the extra boot partition.
    Do not format the partitions if you want to keep their data.
    It is suggested to format the root (/) and boot (/boot) partitions. Make sure there is a backup of the individual data that is/was stored on it.
  • Continue setup.

#4 Directly when Software Selection comes up (before installing additional software, e.g. desktop, etc.)
  • To create a correctly working initrd make sure cryptsetup is installed in /target, if not add it via apt-install.
    On 8.0 and later cryptsetup should be already installed, otherwise use apt-install.
    Code: Select all
    ls /target/sbin/crypt*
    apt-install cryptsetup
  • Create /etc/crypttab in /target (or copy your old crypttab to the new system, e.g. from a USB stick or one of your LVM volumes under /target (e.g. /target/home)).
    Code: Select all
    cat /target/etc/crypttab
    printf "$DMNAME\tUUID=%s\tnone\tluks\n" "$(cryptsetup luksUUID $DEV)" >>/target/etc/crypttab
    # or from USB
    list-devices usb-partition
    mount /dev/sdXn /mnt
    cp /mnt/crypttab /target/etc/crypttab
    umount /mnt
    cat /target/etc/crypttab
    nano /target/etc/crypttab

If your system does not boot then you have to create a new initramfs in a chroot environment via a live medium, as mentioned above by Eddy, but I also had to bind some LVM related directories.
Code: Select all
mount -o bind /dev /mnt/dev
mount -o bind /dev/pts /mnt/dev/pts
mount -o bind /dev/shm /mnt/dev/shm
mount -o bind /proc /mnt/proc
mount -o bind /sys /mnt/sys
mount -o bind /run /mnt/run
mount -o bind /run/lock /mnt/run/lock

Posts: 1
Joined: 2016-03-02 20:01


Return to Installation

Who is online

Users browsing this forum: No registered users and 6 guests